Closed
Bug 145959
Opened 22 years ago
Closed 22 years ago
CIBC online banking no longer allows login.
Categories
(Core :: Security, defect)
VERIFIED
WORKSFORME
People
(Reporter: jasonb, Assigned: security-bugs)
Details
(Keywords: regression)
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.0.0+) Gecko/20020520
BuildID: 2002052004

This may be a duplicate of bug 97034, but the description and symptoms are different so I'm entering it as a separate bug.

I have been banking online with CIBC for almost a year now using Mozilla without any difficulty. As of May 20, 2002, I can no longer login. I enter my bank card information and password, click on the "Sign In" button and rather than being taken to the banking screen, I'm dumped back to the CIBC Services page.

NOTE: You do not need to enter valid information. If you enter a bogus account number and/or password, the same thing will happen.

Their site design has also changed since the last time I used it (and it worked) so I suspect regression on their part, rather than on the part of Mozilla. They have always posted a "warning" about the latest Mozilla/Netscape being incompatible, and for a brief period of time it did not allow you to login (as per bug 97034) - but a Mozilla fix was checked in almost a year ago (although this was not reported in bug 93034, nor was the bug closed), and it worked just fine with Mozilla since then. Now, rather than displaying, "This page cannot be viewed with the method you've chosen," it takes you back to the Services page. (Also, the Browser Security Info link DOES still work properly - it did not do so in the other bug until it was fixed.)

If the CIBC site has now changed (for whatever reason) they should at least be posting a "Mozilla error" message or something when you do try to login rather than just going to the Services page for no apparent reason.

Reproducible: Always

Steps to Reproduce:
1. Go to the URL.
2. Enter a valid (or invalid) CIBC bank account number and password.
3. Click on "Sign In".

Actual Results: You are taken to the CIBC Services page.

Expected Results: Your login information should be validated and you should either be taken to the banking screen, or prompted for correct information.
Comment 1•22 years ago
Fix URL, and tested under i386 RH Linux, so OS -> All. Since CIBC no longer works with Mozilla (they used to merely not support Moz), this is a regression.
Keywords: regression
OS: Windows XP → All
Comment 2•22 years ago
Alright. I've done a bit of looking into this and so far I can rule out a useragent issue. The site is not just serving up garbage because it sees a non-IE browser. It's also not a TLS 1.0 issue (works in IE either way, doesn't work in Mozilla either way). The form action points at https://www.cibc.com/solution/service/pers/pcb/scripts/SignOn.jsp -- both browsers agree that this page will dump you right back to www.cibc.com if typed into the URL bar. So as far as I can see, there is either some funky redirecting going on server side, or more likely some funky javascript going on client side. I'll keep looking and see if I can find anything useful.

Confirmed broken on RC2 (debian Linux 2.4.16) and RC3 (Windows 2000 SP2), works under IE5.01.
*** Bug 151840 has been marked as a duplicate of this bug. ***
*** Bug 146503 has been marked as a duplicate of this bug. ***
This doesn't strike me as being an evang issue. Changing component.
Assignee: momoi → mstoltz
Component: English: Non-US → Security: General
Product: Tech Evangelism → Browser
QA Contact: jeesun → bsharma
Version: unspecified → other
Comment 6•22 years ago
I can certainly offer to place some pressure on CIBC and make the connection with CIBC web designer/support if needed.
Comment 7•22 years ago
As I said earlier, I did some more looking into it and after some javascript debugging, I'm *fairly* certain that Mozilla is interpreting the javascript correctly (where correctly is interpreted as the same as IE). The only thing I can imagine is that somewhere between the Form's action URL and the www.cibc.com address Mozilla ends up at, the server is sending some funky redirect, possibly due to a misunderstood header or POST value. However, I was unable to find any definite cause because my usual method for debugging such problems (tcpdump :) is not very useful for SSL connections... Good luck on this one. Note that you can get two different pages served to you by altering the User-agent to look like IE or Netscape 4, but they all end up at the same place.
Comment 8•22 years ago
*** Bug 150646 has been marked as a duplicate of this bug. ***
Comment 9•22 years ago
Just an update on the progress. I spoke with CIBC technical support today and explained our findings; it turned out that they are aware and working on this problem (looks like on their site as expected). Basically, they said that there is an initiative to enhance the web banking to support more browsers and Netscape 6/Mozilla is definitely on the list but after M$ IE 6. I have tried to place some pressure to swap the priority but unless they hear a lot from us through the feedback form or complaints, IE is still on top of Mozilla. I am going to submit one today.
Comment 10•22 years ago
Using Mac OS X 10.1.5 and Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en-US; rv:1.0.0) Gecko/20020529 the CIBC start URL renders as a blank page, but there is a large amount of code visible under View>Page Source. You do not need to have a CIBC account to confirm this, just enter the URL.
Comment 11•22 years ago (Assignee)
Do we have any idea what the problem is?
Comment 12•22 years ago (Reporter)
Any updates?
Comment 13•22 years ago
The bug is still happening in Mozilla 1.1b. It's easy to reproduce. Go to the URL listed, then type '1' into the Card Number field, and click the 'Sign In' image.

Expected Behavior: The server tells you "incorrect card number or password"

Actual Behavior: You end up at some funky URL on the http://www.cibc.com/ site that simply displays the main page.

The site will display one of several different pages to you depending on what useragent you spoof yourself as, including the Netscape 4.x one if you just go with the default Mozilla useragent. This makes *no* difference to the result. All the javascript works fine as best as I can tell. I have a feeling the server is doing some really really weird HTTP-redirects, for some reason, and Mozilla gets lost. I don't know how to debug it any further than I've gotten due to the SSL connection. It *could* be some kind of bug in the way the SSL components deal with redirects, or it could be utterly insane behavior on the part of CIBC's webserver. It's hard to tell.
Comment 14•22 years ago (Reporter)
As of today (9/27) I was able to login to CIBC again with Mozilla (2002092704 trunk / XP). (Ironically, I discovered this because I was NOT able to login with IE - I'd click on login and nothing at all would happen. I switched to Mozilla on a pure whim to see if, by some small chance, that would do it.) As soon as somebody else can confirm that CIBC is now working with Mozilla I'll happily close this bug.
Comment 15•22 years ago
I don't know which version of Mozilla you have tried but I was on Linux earlier (MD8.1) and gave a try with Mozilla-1.0.1 and still observed the problem.
Comment 16•22 years ago (Reporter)
As I said in comment 14, I am using trunk build 2002092704 under XP. Would somebody please confirm/deny with the latest build?
Comment 17•22 years ago
I just tried it; it works fine on build 2002092708 on Linux 2.4.16. Yay! :D
Comment 18•22 years ago (Reporter)
Excellent! Since that's independent confirmation under a different OS (even better) I'm going to close this as WFM. If somebody finds that it does not work with a 9/27+ build, feel free to reopen it.
Status: NEW → RESOLVED
Closed: 22 years ago
Resolution: --- → WORKSFORME
Comment 19•22 years ago
Works on OS X as well with the 09/27 build.
Comment 20•21 years ago (Reporter)
Verifying resolution of all bugs I've reported.
Status: RESOLVED → VERIFIED